ResearchGate record: https://www.researchgate.net/publication/45927120 (DOI: 10.1109/ICCIT.2009.251; listed July 2010; uploaded by Junseok Hwang on 24 July 2014)
2009 Fourth International Conference on Computer Sciences and Convergence Information Technology

The Application of AHP Model to Guide Decision Makers: A Case Study of E-Banking Security

Irfan Syamsuddin, State Polytechnic of Ujung Pandang, Makassar, Indonesia, e-mail: irfans@poliupg.ac.id
Junseok Hwang, Seoul National University, Seoul, Republic of Korea, e-mail: junhwang@snu.ac.kr

Abstract—Changes in technology have resulted in new ways for bankers to deliver their services to customers. Electronic banking systems in various forms are the evidence of such advancement. However, information security threats are also evolving along this trend. This paper proposes the application of the Analytic Hierarchy Process (AHP) methodology to guide decision makers in the banking industry in dealing with information security policy. The model is structured according to aspects of information security policy in conjunction with information security elements. We found that the cultural aspect is valued as the top priority among the security aspects, while confidentiality is considered the most important factor in terms of information security elements.

Keywords: information security; policy; decision making; AHP

I. INTRODUCTION

Changes in technology have resulted in new ways for bankers to deliver their services to customers. Now we are witnessing rapid development in the banking industry to enable, for example, electronic payment through the Internet. Although there has been significant advancement, the main problem remains the same: security and privacy. The banking industry plays a significant role in ensuring that all financial transactions in digital form are adequately secured from any possible threat. However, no single technical solution is available to handle all security issues in the banking sector. It is even worse if such security issues are regarded only from a technical perspective, as confirmed in [1].

In the case of the banking industry, better management of information security has been recognized as an important factor in ensuring the safety of all financial transactions. Under the IT management umbrella we find several terms, such as information technology governance, information security management, and information systems audit. In order to fulfill these requirements, the banking industry follows several international standards, such as COBIT and ISO 27001.

The case study is based on Indonesian banks which have implemented information security policy and audit systems based on COBIT or ISO 27001. COBIT (Control Objectives for Information and related Technology) is a framework consisting of a set of best practices for IT management, with a subset covering information security and assurance [3]. Likewise, ISO 27001 is an international standard for information security management with best-practice recommendations on information security management, as well as risks and controls, within the context of an overall Information Security Management System (ISMS).

Deciding on an appropriate information security policy is not an easy task, since there are many aspects that should be considered appropriately. Therefore, there is a strong requirement for assistance in evaluation in this field. We propose an evaluation method based on the Analytic Hierarchy Process (AHP) which considers all relevant aspects of information security as a guidance framework.

The following section describes the main concept of AHP. In section 3, we discuss two security cases of Indonesian banks. Our analysis and discussion of the findings are then provided in section 4. Finally, some concluding remarks are given at the end.

II. ANALYTIC HIERARCHY PROCESS

The Analytic Hierarchy Process (AHP) was originally introduced by Saaty in [4] as an excellent MCDM (multi-criteria decision making) tool, and has been acknowledged by many researchers, as can be seen in [8].

One of the main advantages of Saaty's AHP is its simplicity compared to previous decision support methods. It also brings qualitative and quantitative elements into the same decision-making methodology by giving a basis for eliciting, discussing, recording, and evaluating the elements of a decision. It uses a hierarchical structure with goals, sub-goals or factors, and alternatives.

The structure is then translated into a series of questions of the general form "How important is criterion A relative to criterion B?". The input to AHP models is the decision maker's answers to this series of questions, termed pairwise comparisons. Questions of this type may be used to establish, within AHP, both weights for criteria and performance scores for options on the different criteria.

It is assumed that a set of criteria has already been established based on the AHP model. For each pair of criteria, the decision maker is then required to respond to a pairwise comparison question asking the relative importance of the

978-0-7695-3896-9/09 $26.00 © 2009 IEEE DOI 10.1109/ICCIT.2009.251
two. Responses are gathered in verbal form and subsequently codified on a nine-point intensity scale [4][8] as follows:

TABLE I. AHP PAIRWISE COMPARISON VALUES
How important is A relative to B?   Comparison value
Equally important                   1
Weakly more important               3
Strongly more important             5
Very strongly more important        7
Absolutely more important           9

The values in between (2, 4, 6 and 8) are intermediate values that can be used to represent shades of judgement between those five basic assessments. If the judgment is that B is more important than A, then the reciprocal of the relevant index value is assigned; for example, if B is considered to be strongly more important (5) than A as a criterion for the decision, then the value 1/5 (or 0.2) would be assigned to A relative to B.

In some cases, judgments by the decision maker are assumed to be consistent in deciding about any one pair of criteria, and since all criteria will always rank equally when compared to themselves, it is only ever necessary to make n(n - 1)/2 comparisons to establish the full set of pairwise judgments for n criteria.

The results of all pairwise comparisons are then stored in an input matrix A = [a_ij], which is an n x n matrix. The element a_ij is the intensity of importance of criterion n_i compared to criterion n_j. The following figure shows a typical matrix for establishing the relative importance of three criteria:

      1     3     5
    1/3     1     7
    1/5   1/7     1

Figure 1. AHP pairwise matrix.

In short, according to [8], one should follow the four simple steps below in order to apply the AHP method for guiding the decision making process:
- Structure the problem into a hierarchy.
- Compare and obtain the judgment matrix.
- Compute local weights and the consistency of comparisons.
- Aggregate weights across the various levels to obtain the final weights of alternatives.

III. SECURITY ISSUES ON E-BANKING IN INDONESIA

The term electronic banking (or remote banking) refers to the remote conduct of traditional and innovative banking activities with the use of electronic means [2].

In this section, two cases of internet banking security are discussed: BCA and Lippo Bank. The first case is the BCA (Bank Central Asia) security incident in 2001.

The BCA case was basically known as "typo squatting" or URL hijacking. This type of attack relies on mistakes such as typographical errors made by Internet users when entering a website address into a web browser. In this case, the attacker of BCA bought and managed several domain names (such as kilkbca.com, kikbca.com, etc.) slightly different from the original one (klikbca.com). All these fake websites were then designed to look exactly the same as the original BCA website.

Figure 2. Original BCA website

This kind of attack exploits typographical errors made by BCA internet users. Those who mistyped the BCA website address were automatically directed to the fake website without realizing it, since they saw exactly the same web presentation as the original BCA website.

This case clearly shows that internet banking still leaves security holes that should not be underestimated by decision makers in the banking industry.

The second example was the Lippo Bank case. In 2006, several security professionals in Indonesia found and then reported a security hole in the Lippo internet banking system. The problem came from a weakness in the PIN distribution mechanism (see figure 3).

Figure 3. Security hole on LIPPO internet bank

Since customers may create their PIN (in this case called VPIN) through an ATM machine, illegal persons may access internet access and change the number, as reported in several cases of money stolen through the internet.

Based on both cases, we can see how information security policy plays a significant role in designing a proper internet banking service by considering all aspects.

IV. ANALYSIS

This part describes the construction of the AHP model, the analysis of the model, and the results and discussion.

A. Information Security Policy Model

In order to develop the model, we first classify the information-security-related literature into two main groups. The first category is called information security aspects and the second one is information security elements.

Further, information security aspects can be classified into four main aspects, namely the management, technology, economic and cultural aspects of information security, as can be seen in the following table.

TABLE II. INFORMATION SECURITY ASPECTS
Aspects       Items
Management    IT governance; audit information; data classification; access
Technology    software; network; internet
Economy       return of security investment; economic impact of security breaches
Culture       security …; security …; organizational …

The managerial aspect of information security is one of several critical success factors of a business organisation [9]. It covers strategic IT governance with emphasis on security and privacy, and also evaluation in the form of IT auditing. As a result of its vital function, it is too risky to run a business without appropriate assurance for the security of its information systems operations [10].

Similarly, the technological aspect of information security, such as computer security [11], wired and wireless network security [12][13], and internet security [14], is a first consideration in developing secure information systems. This can also be seen from the tremendous efforts to improve security quality by applying intrusion detection systems [15][16] and cryptography [17]. In short, technology is the critical point with respect to information security.

In terms of the economy of information security, it is affirmed that economic considerations are an important factor in the recent information age [1][7] which should be included as an additional viewpoint to strengthen information security. Security investment is discussed in [18] to determine the optimal balance, and the impact of such investment and its extensional effect on information security in [19]. … information security that should be fulfilled in … to guarantee appropriate security and privacy controls within an organization [22].

The cultural aspect of information security represents the role of changing culture in the digital era and its relationship with security awareness through education [20]. It should become an embedded culture for individuals within the organization [21].

Then, in terms of the second category, which is information security elements, we suggest CIA, which stands for confidentiality, integrity and availability. It is applicable for our model since these triangle elements should be a fundamental concern in all aspects mentioned before [23]. This is also due to the wide recognition of CIA by security practitioners as the three basic elements of information security.

TABLE III. INFORMATION SECURITY ELEMENTS
Elements         Attributes
Confidentiality  control disclosure of information; authorized persons
Integrity        data intact (n…); authorized persons
Availability     data available; authorized persons

Table 3 represents the three security elements of CIA with the specific attributes of each. Then, based on tables 2 and 3, we develop the information security policy evaluation model by following the AHP structure, as can be seen in figure 4.

B. AHP Analysis

In this study we use Web-HIPRE, a free applet-based software tool, to generate and analyze the AHP model [6].
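A defender-side check for the BCA-style lookalike domains described in section III, as an added example written for this page (not code from the paper or from BCA): it screens a list of observed domain names against the legitimate klikbca.com label by edit distance, the kind of monitoring a bank can run over passive DNS or certificate transparency feeds so that registered lookalikes are noticed before customers are misdirected. The observed list, the distance threshold and the function names are constructed for the illustration; only kilkbca.com, kikbca.com and klikbca.com come from the paper.

```python
"""Lookalike-domain screening for a bank's legitimate domain.
Added illustration for this page; not code from the paper or from BCA."""

LEGIT_DOMAIN = "klikbca.com"   # the original BCA domain named in the paper

# Constructed sample of observed domain names (e.g. from a passive DNS or
# certificate transparency feed); the first two are the variants the paper names.
OBSERVED = [
    "kilkbca.com",
    "kikbca.com",
    "klikbca.com",
    "klikbca.co.id",     # constructed: same label under a different suffix
    "klikbcaa.com",      # constructed: one extra character
    "example-shop.com",  # constructed: unrelated
    "KLIKBCA.COM",       # constructed: case variant of the legitimate name
]


def osa_distance(s, t):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counting 1 (the swap catches 'kilk' vs 'klik')."""
    d = [[0] * (len(t) + 1) for _ in range(len(s) + 1)]
    for i in range(len(s) + 1):
        d[i][0] = i
    for j in range(len(t) + 1):
        d[0][j] = j
    for i in range(1, len(s) + 1):
        for j in range(1, len(t) + 1):
            cost = 0 if s[i - 1] == t[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and s[i - 1] == t[j - 2] and s[i - 2] == t[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(s)][len(t)]


def label(domain):
    """Lower-cased leftmost label, the part a user is most likely to mistype."""
    return domain.strip().lower().rstrip(".").split(".")[0]


def screen(observed, legit=LEGIT_DOMAIN, max_distance=2):
    """Return [(domain, distance)] for names whose label is within max_distance
    edits of the legitimate label but which are not the legitimate domain itself."""
    legit_label = label(legit)
    legit_norm = legit.strip().lower().rstrip(".")
    hits = []
    for name in observed:
        if name.strip().lower().rstrip(".") == legit_norm:
            continue  # the bank's own name, in any letter case, is not a lookalike
        dist = osa_distance(label(name), legit_label)
        if dist <= max_distance:
            hits.append((name, dist))
    return sorted(hits, key=lambda h: (h[1], h[0]))


HITS = screen(OBSERVED)

if __name__ == "__main__":
    for name, dist in HITS:
        print(f"{name}: distance {dist} from {LEGIT_DOMAIN}")
```

Distance 0 with a different suffix (klikbca.co.id in the constructed list) is reported as well, since a user who types the right label under the wrong suffix is misdirected just as effectively as one who transposes two letters; a threshold of 2 keeps unrelated names out while still catching the single-edit variants the paper describes.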

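The computation that a tool such as Web-HIPRE performs behind steps 2 to 4 of section II (judgment matrix from the pairwise answers, local weights, consistency check, aggregation across levels) is shown below as an added example written for this page; it is not code from the paper or from Web-HIPRE. It reproduces the three-criterion matrix of Figure 1 and adds a constructed set of judgments for the four aspects of Table II; those constructed judgments, the function names and the RI lookup table are assumptions of this illustration, not the authors' survey responses.

```python
"""AHP worked example: pairwise judgments on Saaty's 1-9 scale -> reciprocal
matrix -> priority vector -> consistency ratio -> aggregation across levels.
Added illustration written for this page; not code from the paper or Web-HIPRE."""
from itertools import combinations

# Saaty's random consistency index RI by matrix order n (values from Saaty [4]).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}


def build_matrix(criteria, judgments):
    """Fill the n x n matrix A = [a_ij] from the n(n-1)/2 upper-triangle judgments.

    judgments maps (P, Q) -> intensity of P over Q on the 1..9 scale (Table I).
    The diagonal is 1 and a_qp is the reciprocal 1/a_pq, as the paper describes.
    """
    idx = {c: i for i, c in enumerate(criteria)}
    n = len(criteria)
    a = [[1.0] * n for _ in range(n)]
    for p, q in combinations(criteria, 2):
        if (p, q) in judgments:
            v = float(judgments[(p, q)])
        elif (q, p) in judgments:
            v = 1.0 / float(judgments[(q, p)])
        else:
            raise ValueError(f"missing judgment for {p} vs {q}")
        if not (1 / 9 <= v <= 9):
            raise ValueError(f"{p} vs {q}: {v} is outside the 1/9..9 scale")
        a[idx[p]][idx[q]] = v
        a[idx[q]][idx[p]] = 1.0 / v
    return a


def priority_vector(a, tol=1e-12, max_iter=10000):
    """Local weights: principal right eigenvector of A (normalised to sum 1) and
    its eigenvalue lambda_max, found by power iteration."""
    n = len(a)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(max_iter):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)  # sum(w) == 1, so sum(A w) tends to lambda_max as w converges
        w_new = [x / lam for x in aw]
        if max(abs(x - y) for x, y in zip(w, w_new)) < tol:
            return w_new, lam
        w = w_new
    return w, lam


def consistency_ratio(n, lam):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); Saaty accepts CR <= 0.10."""
    if n <= 2:
        return 0.0
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def analyse(criteria, judgments):
    """Steps 2 and 3 for one level of the hierarchy."""
    a = build_matrix(criteria, judgments)
    w, lam = priority_vector(a)
    cr = consistency_ratio(len(criteria), lam)
    return {"weights": dict(zip(criteria, w)), "lambda_max": lam,
            "cr": cr, "consistent": cr <= 0.10}


def aggregate(parent_weights, local_weights):
    """Step 4: global weight of a leaf = sum over parents of
    (parent weight) x (leaf's local weight under that parent)."""
    total = {}
    for parent, pw in parent_weights.items():
        for leaf, lw in local_weights[parent].items():
            total[leaf] = total.get(leaf, 0.0) + pw * lw
    return total


# Figure 1 matrix from the paper: A over B = 3, A over C = 5, B over C = 7.
FIG1 = analyse(["A", "B", "C"], {("A", "B"): 3, ("A", "C"): 5, ("B", "C"): 7})

# Constructed judgments for the four aspects of Table II (illustrative only,
# not the survey responses behind the paper's 0.369/0.341/0.177/0.114).
ASPECTS = ["culture", "economy", "management", "technology"]
ASPECT_JUDGMENTS = {
    ("culture", "economy"): 1, ("culture", "management"): 2, ("culture", "technology"): 3,
    ("economy", "management"): 2, ("economy", "technology"): 3,
    ("management", "technology"): 2,
}
ASPECT_RESULT = analyse(ASPECTS, ASPECT_JUDGMENTS)

if __name__ == "__main__":
    for name, r in (("Figure 1", FIG1), ("aspects", ASPECT_RESULT)):
        ws = ", ".join(f"{k}={v:.3f}" for k, v in r["weights"].items())
        print(f"{name}: {ws}; lambda_max={r['lambda_max']:.3f}; CR={r['cr']:.3f}; "
              f"{'accept' if r['consistent'] else 'revise judgments'}")
```

Running it on the Figure 1 matrix gives local weights of roughly 0.60, 0.32 and 0.07 but a consistency ratio of about 0.20, above Saaty's 0.10 threshold: rating A over B at 3 and B over C at 7 while rating A over C at only 5 is the kind of judgment set that step 3 exists to send back to the decision maker for revision. The constructed aspect judgments are transitive and pass the check.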
Figure 4. Structuring AHP model in Web-HIPRE

Fig. 4 shows the first AHP step to generate the information security policy model. Subsequently, all responses from the respondents (CIO representatives of each bank) are put into the comparison window for each factor. The following figure shows the qualitative result of the composite overall priorities in Web-HIPRE.

Figure 5. Overall AHP priorities

As can be seen, confidentiality is the highest priority among the three elements. Additionally, culture and economy are the two most important aspects of information security. The following table confirms the final result (quantitatively) of Fig. 5 in more detail.

TABLE IV. RESULT

As mentioned earlier, confidentiality is the top priority consideration of decision makers in the banking industry, accounting for 0.449. It is followed by integrity and availability, which represent 0.346 and 0.206 respectively.

In addition, with respect to information security aspects, we found that decision makers in the banking industry emphasize the importance of the cultural and economic aspects, with values of 0.369 and 0.341. These are far higher than the last two aspects, management and technology, which only account for 0.177 and 0.114 respectively.

C. Discussion

Information security with four main aspects has been accommodated properly through this model. As a significant industry in the country, banks are among the first-mover institutions to apply information technology in delivering their services. Therefore, it is not surprising that we found that, among the security elements, availability has the least proportion compared with confidentiality and integrity. It was found that decision makers in banks put more concern on confidentiality, which accounted for 0.449 as the top priority. Integrity is the middle priority in the banking industry, accounting for approximately 0.346, and availability is the last one with 0.206.

Confidentiality of financial data in the banking industry has become a crucial point in order to prevent disclosure of information to unauthorized individuals or systems. Attacks in this area have been found in several reports and have caused huge financial losses [24]. Similarly, the banking industry also emphasizes the importance of data integrity by applying appropriate mechanisms to guarantee that data cannot be modified without authorization, only by authentic persons. Therefore, it is reasonable that these two elements of information security are highly appreciated in this sector.

Furthermore, in terms of the four information security aspects, we found the cultural aspect to be the most important criterion, accounting for 0.369. The second priority is economy at 0.341, followed by management (0.341) and the technological aspect, which account for 0.177 and 0.114 respectively. Decision makers found that it is the time when culture, in terms of behavior and education, plays a more significant role in the banking sector. The previous cases also reflect this aspect, showing how important security culture is in the cyber era. Customers should be well informed on how to perform safe financial transactions on internet banking. In short, it is reasonable to put the cultural aspect on the top priority among others.

As a core financial institution in the nation, banks put serious concern on the economic aspect of information security threats. Security problems will potentially damage the reputation of any bank. Lack of trust in banking systems will bring a negative impact on the economy. For that reason, economy is considered the second priority.

In terms of the managerial perspective, the banking industry has been widely known for better management compared to other institutions. This is similar for the technology aspect, which is the least portion found in this study. Banks have been recognized for more sophisticated information and computing technology since the beginning era of their development. Technological advancement was the focus of decision makers in the past. At the moment, the industry already has operational standards on how to operate and guarantee secure financial transactions from a technical point of view.

V. CONCLUSION

The Analytic Hierarchy Process can be used to help decision makers in the banking sector analyze information security policy from a macro-level perspective. This study justifies that the application of the AHP method in information security is reasonable, and it provides a robust and encompassing treatment for decision makers in both qualitative and quantitative ways. From the information security aspect perspective, the top priority is the cultural aspect, followed by economy, management and technology respectively. Then, in terms of information security elements, decision makers in the banking

industry emphasize the importance of confidentiality as the top consideration, followed by integrity as the middle priority and lastly availability.

ACKNOWLEDGMENT

The authors would like to thank ITPP Seoul National University for its generous support, and the anonymous reviewers for their valuable comments and suggestions, which were very helpful in improving the paper.

REFERENCES

[1] R. Anderson, “Why Information Security is Hard: An Economic Perspective”, Proceedings of the 17th Annual Computer Security Applications Conference, 2001, pp. 10-14.
[2] Basle Committee, “Risk Management Principles for Electronic Banking”, Basel Committee Publications, No. 98, July 2003, Bank for International Settlements.
[3] B. von Solms, “Information Security governance: COBIT or ISO 17799 or both?”, Computers & Security, vol. 24, issue 2, 2005, pp. 99-104.
[4] T.L. Saaty, “The Analytic Hierarchy Process”, RWS Publications, Pittsburgh, PA, 1990.
[5] J. Leiwo, C. Gamage, and Y. Zheng, “Organizational modeling for efficient specification of information security requirements”, Advances in Databases and Information Systems: 3rd East European Conference, ADBIS'99, Maribor, 1999, pp. 247-60.
[6] J. Mustajoki, and R.P. Hämäläinen, “Web-HIPRE: Global decision support by value tree and AHP analysis”, INFOR, vol. 38, no. 3, 2000, pp. 208-220.
[7] S.E. Schecter, and D.S. Michael, “How much security is enough to stop a thief? The economics of outsider theft via computer systems networks”, Proceedings of the Financial Cryptography Conference, Guadeloupe, 2003, pp. 122-137.
[8] F. Zahedi, “The analytic hierarchy process—a survey of the method and its applications”, Interfaces, vol. 16, no. 4, 1986, pp. 96-108.
[9] R. Filipek, “Information security becomes a business priority”, Internal Auditor, vol. 64, no. 1, 2007, pp. 18-21.
[10] M. Zviran, and W. Haga, “Password security: an empirical study”, Journal of Management Information Systems, vol. 15, no. 4, 1999, pp. 161-85.
[11] C.E. Landwehr, “Formal Models for Computer Security”, ACM Computing Surveys, vol. 13, issue 3, 1981, pp. 247-278.
[12] S.D. Chi, J.S. Park, K.C. Jung, and J.S. Lee, “Network Security Modeling and Cyber Attack Simulation Methodology”, in Information Security and Privacy, Lecture Notes in Computer Science, Springer Berlin / Heidelberg, 2001, pp. 320-333.
[13] W.A. Arbaugh, N. Shankar, Y.C.J. Wan, and K. Zhang, “Your 80211 wireless network has no clothes”, IEEE Wireless Communications, vol. 9, issue 6, 2002, pp. 44-51.
[14] A. Householder, K. Houle, and C. Dougherty, “Computer attack trends challenge Internet security”, Computer IEEE, vol. 35, issue 4, 2002, pp. 5-7.
[15] T. Bauss, “Intrusion detection systems and multisensor data fusion”, Communications of the ACM, vol. 43, issue 4, 2000, pp. 99-105.
[16] A. Fuchsberger, “Intrusion Detection Systems and Intrusion Prevention Systems”, Information Security Technical Report, vol. 10, issue 3, 2005, pp. 134-139.
[17] K.G. Paterson, “Cryptography from Pairings: A Snapshot of Current Research”, Information Security Technical Report, vol. 7, issue 3, 2002, pp. 41-54.
[18] L.A. Gordon, and M.P. Loeb, “The Economics of Investment in Information Security”, ACM Transactions on Information and System Security, vol. 5, no. 4, 2002, pp. 438-457.
[19] L.A. Gordon, M.P. Loeb, and W. Lucyshyn, “Sharing Information on Computer Systems Security: An Economic Analysis”, Journal of Accounting and Public Policy, vol. 22, no. 6, 2003, pp. 461-485.
[20] M.E. Thomson, and R. von Solms, “Information security awareness: educating your users effectively”, Information Management and Computer Security, vol. 6, no. 4, 1998, pp. 167-173.
[21] T. Schlienger, and S. Teufel, “Information Security Culture: The Socio-Cultural Dimension in Information Security Management”, Proceedings of the IFIP TC11 17th International Conference on Information Security, 2002, pp. 191-202.
[22] G. Dhillon, and J. Blackhouse, “Current directions in IS security research: towards socio-organizational perspectives”, Information Systems Journal, vol. 11, no. 2, 2001, pp. 127-53.
[23] T. Peltier, Information Security Risk Analysis, Auerbach Publications, CRC Press, USA, 2001.
[24] CSI, CSI 2008 Survey, [Online document], [cited 2008 December 27], Available HTTP: http://www.gocsi.com